
Using ACME to Automate Certificates: A Step-by-Step Guide


Looking for a simple answer to the question, “What is ACME?”

We can help with that! The Automated Certificate Management Environment (ACME) is a protocol defined by the IETF RFC 8555 that automates the issuance, renewal, and revocation of certificates by streamlining interactions between your web server and Certificate Authorities (CAs). 

It was originally developed for Let’s Encrypt; however, ACME is now widely supported by various CAs, public key infrastructure (PKI) vendors, and browsers.

This article will walk you through using ACME for efficient certificate automation, keeping your systems secure, compliant, and up-to-date with minimal manual effort. Let’s dive in!

How to Automate Certificates with Automated Certificate Management Environment

Certificate-related outages and mismanagement can disrupt operations, damage reputation, and create security risks. Automation can allow your company to focus on growth and innovation while staying protected, which ultimately builds customer trust and ensures smooth, secure operations.

Here are the key steps to automating certificates with ACME:

Step 1: Select and configure your ACME client

Your ACME client will manage the entire lifecycle of your certificates, from generation to revocation and renewal.

When choosing an ACME client, make sure it’s compatible with your server environment and that it doesn’t have security flaws that could be exploited. You’ll also want to pick a client that supports the certificate challenge types your domain setup requires. Ideally, go for a client that handles multiple certificate challenge types, like HTTP-01 or DNS-01. 

Additionally, you can choose an ACME client based on its programming language (Bash, Python, etc.) or the environment it runs in (Docker, Kubernetes, etc.).

Once you’ve selected the client, assign the specific domains it will manage.

Step 2: Choose a certificate authority

The certificate authority’s role is to verify that your client has control over the domain for which you’re requesting a certificate. When picking a certificate authority (CA), take into account the certificate types they provide, their pricing, and the support they offer. Ensure the CA is compatible with the ACME client you selected earlier. Open-source CAs like Let’s Encrypt are widely compatible, but some commercial CAs might have different integration requirements.

Before proceeding, you should run a connection test to make sure your client can successfully communicate with the CA. This test can be as simple as a command or an API call that initiates the certificate request process.

Step 3: Generate key authorization pair

Register your client with the ACME server using an account key pair. Then generate a separate private key and a certificate signing request (CSR) for the certificate itself; the CSR carries the public half of that second key and is what gets submitted to the ACME server and CA.

ACME may require external account binding. This is an added layer of authentication and security that limits who can request certificates. In this case, the CA will issue a unique account binding key when you create your account on the CA platform. The ACME client will sign the binding key when it registers with the CA, then send the binding to the CA’s ACME server. Once verified, you’re good to go.

Step 4: Generate CSR and send to CA 

Next, your ACME client will send a CSR to the CA to formally request your digital certificate. The CA will then issue domain control challenges to verify your ownership. You’ll typically receive either a DNS or HTTP challenge. For DNS, the CA gives a token that your ACME client must add as a DNS TXT record, which the CA will then query to confirm ownership. For HTTP, your client will create a file with the token at a specific URL on your server. The CA will access this URL to retrieve the token, and once verified, your domain is confirmed.

Step 5: Issue the certificate 

After verifying the signature, the CA proceeds to issue an X.509 digital certificate, which is delivered base64-encoded. The X.509 certificate usually includes:

  • The client’s public key (from the CSR)
  • Identifying information about the domain
  • The CA’s signature, binding the public key to the domain identity and enabling anyone who trusts the CA’s root certificate to verify that the certificate is authentic and has not been tampered with
  • The validity period, including the start and expiration dates
  • Any requested subject alternative names (SANs)

Step 6: Install the certificate

The agent installs the certificate by placing it in the designated directory on the server’s filesystem, typically in a secure location such as /etc/ssl/certs/ or /etc/letsencrypt/live/<domain>/ for Let’s Encrypt certificates.

Afterwards, you have to set up proper file permissions on both the certificate and private key files to prevent unauthorized access.

Step 7: Automate certificate renewal

You should configure your ACME client to automatically handle certificate renewals before expiration. Remember to set up an automated job if your ACME client doesn’t automatically renew the certificate.  

If you’re using Keyfactor Command, it can issue public trust certificates for you using ACME. Or if your use case is for private trust, EJBCA is an excellent CA to issue private certificates using the ACME protocol.

To manually renew all your certificates:

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt certbot renew

You can specify a particular certificate for renewal by adding the parameter --cert-name <domain-identifier> to the above command. If the certificates are not yet due for renewal, you can force a renewal by adding the --force-renewal flag.

Note: The default threshold for renewal in Certbot is 30 days prior to expiration.
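The challenge values from Step 4 are derived from the token and the account key rather than used raw: HTTP-01 serves token.thumbprint at a fixed path, and DNS-01 publishes base64url(SHA-256(keyAuthorization)) in the TXT record. The example below is added here and is not code from the original article or from any ACME client; it implements RFC 7638 thumbprints and RFC 8555 section 8 key authorizations with the standard library only, using the RSA public JWK reproduced from RFC 7638 section 3.1 as a sample account key and a constructed token. The minimum token length is an assumption derived from the RFC's 128-bit entropy requirement.

```python
import base64
import hashlib
import json
import re

# Sample ACME account public key: the RSA JWK reproduced from RFC 7638 section 3.1.
# "alg" and "kid" are included on purpose to show the thumbprint ignores them.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# RFC 8555 section 8.3: the token is base64url text with at least 128 bits of
# entropy (22 chars is an assumed floor). A client must reject anything else
# before it uses the token in a URL path or filename.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

# Members that enter the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required public members, serialised with sorted keys and no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not a well-formed base64url string")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> tuple:
    """(URL the CA will fetch, body that must be served there)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple:
    """(TXT record name, TXT value). The value is a digest of the key authorization, not the token."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token
    print(http01_response("example.com", token, ACCOUNT_JWK))
    print(dns01_response("example.com", token, ACCOUNT_JWK))
```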

Your Next Steps: A Look at Keyfactor + ACME

Keyfactor offers two powerful ACME solutions: Keyfactor EJBCA and Keyfactor Command.

Keyfactor EJBCA is a flexible and scalable PKI platform that streamlines the issuance and management of digital certificates for devices, users, and workloads. It is a multi-protocol PKI platform and can act as a server to issue certificates using ACME, SCEP, and REST APIs. It also functions as a CA allowing organizations to replace outdated and insecure CA systems with a modern, easy-to-deploy PKI solution, whether in the cloud, on-premise, or as a service. 

Keyfactor Command provides real-time visibility into certificates across private, public, and cloud-based CAs. It enables organizations to tag and organize certificates with metadata, set proactive alerts, and simplify certificate management with automated renewal processes. Keyfactor Command also simplifies audits with detailed logs of certificate changes and offers role-based access controls for secure administration. 

Curious to know more? You can request a demo to brainstorm with our team and discover which solution best fits your organization’s needs.